On Fri, Jan 22, 2021 at 06:54:57AM +0200, Jouni Seppänen wrote:
> From: Jouni K. Seppänen <jks@xxxxxx>
>
> commit 7a68d725e4ea384977445e0bcaed3d7de83ab5b3 upstream.
>
> Aligning to tx_ndp_modulus is not sufficient because the next align
> call can be cdc_ncm_align_tail, which can add up to ctx->tx_modulus +
> ctx->tx_remainder - 1 bytes. This used to lead to occasional crashes
> on a Huawei 909s-120 LTE module as follows:
>
> - the condition marked /* if there is a remaining skb [...] */ is true
> so the swaps happen
> - skb_out is set from ctx->tx_curr_skb
> - skb_out->len is exactly 0x3f52
> - ctx->tx_curr_size is 0x4000 and delayed_ndp_size is 0xac
> (note that the sum of skb_out->len and delayed_ndp_size is 0x3ffe)
> - the for loop over n is executed once
> - the cdc_ncm_align_tail call marked /* align beginning of next frame */
> increases skb_out->len to 0x3f56 (the sum is now 0x4002)
> - the condition marked /* check if we had enough room left [...] */ is
> false so we break out of the loop
> - the condition marked /* If requested, put NDP at end of frame. */ is
> true so the NDP is written into skb_out
> - now skb_out->len is 0x4002, so padding_count is minus two interpreted
> as an unsigned number, which is used as the length argument to memset,
> leading to a crash with various symptoms but usually including
>
> > Call Trace:
> > <IRQ>
> > cdc_ncm_fill_tx_frame+0x83a/0x970 [cdc_ncm]
> > cdc_mbim_tx_fixup+0x1d9/0x240 [cdc_mbim]
> > usbnet_start_xmit+0x5d/0x720 [usbnet]
>
> The cdc_ncm_align_tail call first aligns on a ctx->tx_modulus
> boundary (adding at most ctx->tx_modulus-1 bytes), then adds
> ctx->tx_remainder bytes. Alternatively, the next alignment call can
> occur in cdc_ncm_ndp16 or cdc_ncm_ndp32, in which case at most
> ctx->tx_ndp_modulus-1 bytes are added.
>
> A similar problem has occurred before, and the code is nontrivial to
> reason about, so add a guard before the crashing call. By that time it
> is too late to prevent any memory corruption (we'll have written past
> the end of the buffer already) but we can at least try to get a warning
> written into an on-disk log by avoiding the hard crash caused by padding
> past the buffer with a huge number of zeros.
>
> Signed-off-by: Jouni K. Seppänen <jks@xxxxxx>
> Fixes: 4a0e3e989d66 ("cdc_ncm: Add support for moving NDP to end of NCM frame")
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=209407
> Reported-by: kernel test robot <lkp@xxxxxxxxx>
> Reviewed-by: Bjørn Mork <bjorn@xxxxxxx>
> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
> [jks@xxxxxx: backport to 4.4.y, 4.9.y]
> Signed-off-by: Jouni K. Seppänen <jks@xxxxxx>
> ---
> Backport to 4.4.y and 4.9.y: there is no skb_put_zero or ctx->tx_curr_size
> so use memset(skb_put(...)) and ctx->tx_max, respectively.
Thanks for the backport, now queued up.
greg k-h
